You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@cloudstack.apache.org by sunko2014 <su...@gmail.com> on 2013/10/09 03:19:57 UTC
Re: [jira] [Updated] (CLOUDSTACK-4829) vnc access instance's console
through apikey failed
I have the same problem
On Tue, Oct 8, 2013 at 5:28 PM, huyao (JIRA) <ji...@apache.org> wrote:
>
> [
> https://issues.apache.org/jira/browse/CLOUDSTACK-4829?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel]
>
> huyao updated CLOUDSTACK-4829:
> ------------------------------
>
> Affects Version/s: (was: 4.2.0)
> 4.1.1
>
> > vnc access instance's console through apikey failed
> > ---------------------------------------------------
> >
> > Key: CLOUDSTACK-4829
> > URL:
> https://issues.apache.org/jira/browse/CLOUDSTACK-4829
> > Project: CloudStack
> > Issue Type: Bug
> > Security Level: Public(Anyone can view this level - this is the
> default.)
> > Components: VNC Proxy
> > Affects Versions: 4.1.1
> > Environment: windows 7 + cygwin + xenserver 6.1.0 + cloudstack
> 4.1.1
> > Reporter: huyao
> > Priority: Critical
> >
> > I compiled cloudstack 4.1.1 source code in cygwin, then test it using
> jetty, it works fine. But, when I access instance's console through vnc
> using apikey, it fails, the browser shows the follow message:
> > Access denied. Invalid web session or API key in request
> > my url:
> >
> http://localhost:8080/client/console?cmd=access&vm=b194369f-e0d4-45d8-a50f-09ec51095e68&apikey=fmS7oyThP6MGxN5X_CgeOCxQIqgTu5QFDz46r2Pv5kLp88EYYBquSu6_3s3d9MXdbUHPpxj5qDDy1jvhEpQWvQ&signature=y3dNHn580NJiCVRGwrBTR4JHImo%3D
> > I test the listAccounts api, it's ok.
> > my url:
> >
> http://localhost:8080/client/api?command=listAccounts&apikey=fmS7oyThP6MGxN5X_CgeOCxQIqgTu5QFDz46r2Pv5kLp88EYYBquSu6_3s3d9MXdbUHPpxj5qDDy1jvhEpQWvQ&signature=ALhJtw%2Bzi7Rcmo%2Bkk3xH3cTJgp4%3D
> > then, I debug the source code, find where it fails.
> > file: ConsoleProxyServlet.java
> > private boolean verifyRequest(Map<String, Object[]> requestParameters) {
> > try {
> > ...
> > ...
> > unsignedRequest = unsignedRequest.toLowerCase();
> > Mac mac = Mac.getInstance("HmacSHA1");
> > SecretKeySpec keySpec = new
> SecretKeySpec(secretKey.getBytes(), "HmacSHA1");
> > mac.init(keySpec);
> > mac.update(unsignedRequest.getBytes());
> > byte[] encryptedBytes = mac.doFinal();
> > String computedSignature =
> Base64.encodeBase64URLSafeString(encryptedBytes);
> > boolean equalSig = signature.equals(computedSignature);
> > if (!equalSig) {
> > s_logger.debug("User signature: " + signature + "
> is not equaled to computed signature: " + computedSignature);
> > }
> > ...
> > ...
> > return equalSig;
> > } catch (Exception ex) {
> > s_logger.error("unable to verifty request signature", ex);
> > }
> > return false;
> > }
> > in this method, signature not equals to computedSignature, so it returns
> false
> > then, I view ApiServer.javaļ¼the verifyRequest method:
> > public boolean verifyRequest(Map<String, Object[]> requestParameters,
> Long userId) throws ServerApiException {
> > try {
> > ...
> > ...
> > unsignedRequest = unsignedRequest.toLowerCase();
> > Mac mac = Mac.getInstance("HmacSHA1");
> > SecretKeySpec keySpec = new
> SecretKeySpec(secretKey.getBytes(), "HmacSHA1");
> > mac.init(keySpec);
> > mac.update(unsignedRequest.getBytes());
> > byte[] encryptedBytes = mac.doFinal();
> > String computedSignature =
> Base64.encodeBase64String(encryptedBytes);
> > boolean equalSig = signature.equals(computedSignature);
> > if (!equalSig) {
> > s_logger.debug("User signature: " + signature + "
> is not equaled to computed signature: " + computedSignature);
> > }
> > ...
> > ...
> > return equalSig;
> > } catch (Exception ex) {
> > s_logger.error("unable to verifty request signature", ex);
> > }
> > return false;
> > }
> > these two verifyRequest method produce different signature, because the
> former use :
> > String computedSignature =
> Base64.encodeBase64URLSafeString(encryptedBytes);
> > while the later use:
> > String computedSignature = Base64.encodeBase64String(encryptedBytes);
> > this is why listAccouts works fine, but vnc console is failed.
> > when I replace Base64.encodeBase64URLSafeString by
> Base64.encodeBase64String, vnc console is ok too.
> > so I am confused, why use different encode method? It is a bug?
>
>
>
> --
> This message was sent by Atlassian JIRA
> (v6.1#6144)
>